Deploying Shibboleth on Ubuntu 12.04
0. Environment
Operating system: Ubuntu 12.04; Shibboleth version: 2.4.4; GitLab version: 8.6
1. Shibboleth architecture
Three virtual machines: one acts as the IdP, one as the SP and one as the LDAP server.
IdP machine: internal IP 192.168.1.137, external access URL http://os.cs.tsinghua.edu.cn/mooc-idp/
SP machine: internal IP 192.168.1.136, external access URL http://os.cs.tsinghua.edu.cn/mooc-gitlab
LDAP machine: internal IP 192.168.1.138, external access URL http://os.cs.tsinghua.edu.cn/ldapadmin
How it works: GitLab is installed on the SP machine and its built-in login is replaced by Shibboleth authentication. When the user clicks the Shibboleth button on the GitLab login page, the browser is redirected to the IdP machine; the IdP is connected to the LDAP machine, fetches the user's attributes from LDAP, makes its decision and returns the result to the SP (GitLab).
2. Deploying LDAP
2.1 Install OpenLDAP and a web administration tool
Official Ubuntu installation guide: https://help.ubuntu.com/lts/serverguide/openldap-server.html
If needed, install phpldapadmin yourself (it makes LDAP easy to reach from a browser).
This image already includes phpldapadmin; if you installed LDAP from another source, install that tool yourself.
2.2 Create the eduPerson schema from eduperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f <path of eduperson.ldif>
2.3 Log in with the administrator account and create the node that stores users, e.g. ou=Users,dc=cscw
Alternatively, add the user node from the command line:
ldapadd -x -D "cn=admin,dc=cscw" -W -f create_group.ldif
2.4 test_ldap.py can be used to test whether OpenLDAP is working (edit its ip, baseDN and searchFilter parameters so that they match the IdP configuration; see the configuration files in the shibboleth repository for details).
2.5 create_user.ldif is used to create users by hand (edit the user parameters in it); usage is the same as for create_group.ldif.
Create a user under ou=Users as shown in the figure below: first click "create new entry here", then in the panel that appears on the right click the first item "courier Mail: Account". In the panel that follows, fill in the username, mail and other details and create the user.
3. Deploying the IdP
3.1 Install the IdP
See this link: http://blog.csdn.net/jenyzhang/article/details/52399734
3.2 Verify that the IdP can connect to LDAP
After installing the IdP following the link above, verify that the IdP can reach LDAP. (1) On the IdP machine create a file test.py with the following content:
import ldap

# Do not verify the server certificate (lab setup; the URL below is plain ldap://)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l = ldap.initialize("ldap://192.168.1.138")
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)   # TLS mode; has no effect without StartTLS/ldaps
l.set_option(ldap.OPT_DEBUG_LEVEL, 255)             # verbose client-side debugging

baseDN = "ou=Users,dc=cscw"
searchScope = ldap.SCOPE_SUBTREE
retrieveAttributes = None          # None = return every attribute
searchFilter = "(cn=*z*)"          # match the user you created in LDAP

ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
result_set = []
while 1:
    result_type, result_data = l.result(ldap_result_id, 0)
    if result_data == []:
        break
    if result_type == ldap.RES_SEARCH_ENTRY:
        result_set.append(result_data)
print(result_set)
In the listing above, change the LDAP URL ldap://192.168.1.138 to your LDAP server's IP, baseDN = "ou=Users,dc=cscw" to your LDAP base DN, and searchFilter = "(cn=*z*)" to match the user you created in LDAP.
(2) Run the following commands:
sudo apt-get install python-ldap
python test.py
You should see output like the following (the user's attributes are returned), which proves the IdP can connect to LDAP.
3.3 Configure LDAP authentication on the IdP
In 3.2 we made sure the IdP machine can connect to the LDAP machine and retrieve a user's attributes. Next we edit the IdP's configuration files so that the IdP authenticates users against LDAP.
3.3.1 Edit handler.xml
Enter the following command:
vi /opt/shibboleth-idp/conf/handler.xml
Comment out the following two blocks:
<ph:LoginHandler xsi:type="ph:RemoteUser">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>
and
<ph:LoginHandler xsi:type="ph:PreviousSession">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
</ph:LoginHandler>
Uncomment the following block:
<ph:LoginHandler xsi:type="ph:UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
<ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
As shown in the figure below.
3.3.2 Edit attribute-resolver.xml
Enter the following command:
vi /opt/shibboleth-idp/conf/attribute-resolver.xml
Uncomment the following block and change the values of the four attributes ldapURL, baseDN, principal and principalCredential:
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldap://192.168.1.138"
baseDN="ou=Users,dc=cscw"
principal="cn=admin,dc=cscw"
principalCredential="password">
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>
</resolver:DataConnector>
As shown in the figure below.
Add the following code:
<resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="commonName" sourceAttributeID="cn">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cn" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition xsi:type="ad:Simple" id="eppn" sourceAttributeID="eduPersonPrincipalName">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eppn" />
</resolver:AttributeDefinition>
As shown in the figure below.
3.3.3 Edit attribute-filter.xml
Enter the following command:
vi /opt/shibboleth-idp/conf/attribute-filter.xml
Add the following code:
<afp:AttributeRule attributeID="uid">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="email">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="commonName">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRule xsi:type="basic:ANY" />
</afp:AttributeRule>
The result is as follows.
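The resolver definitions in 3.3.2 and the release rules in 3.3.3 have to agree on attribute ids: a definition with no matching AttributeRule never leaves the IdP, and a rule whose attributeID is mistyped releases nothing, and neither mistake produces an error in the IdP log. The script below is an added example (Python 3), not code from the original post or from the Shibboleth project; it parses both files and reports the disagreements. The two embedded documents are constructed cut-down copies of the page's fragments, with "displayName" added to the resolver and "commonName" mistyped in the filter to show both failure modes.

```python
"""Cross-check attribute-resolver.xml against attribute-filter.xml (Shibboleth IdP 2.x).

Usage: python check_attrs.py attribute-resolver.xml attribute-filter.xml
Without arguments it runs on the constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
AFP_NS = "urn:mace:shibboleth:2.0:afp"

# Constructed sample: the four definitions from 3.3.2 plus "displayName",
# which has no release rule in the filter below.
SAMPLE_RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver">
  <resolver:AttributeDefinition id="uid" sourceAttributeID="uid"/>
  <resolver:AttributeDefinition id="email" sourceAttributeID="mail"/>
  <resolver:AttributeDefinition id="commonName" sourceAttributeID="cn"/>
  <resolver:AttributeDefinition id="eppn" sourceAttributeID="eduPersonPrincipalName"/>
  <resolver:AttributeDefinition id="displayName" sourceAttributeID="displayName"/>
</resolver:AttributeResolver>
"""

# Constructed sample: the rules from 3.3.3, with "commonName" mistyped as
# "commonname" (attributeIDs are case-sensitive).
SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="uid"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="email"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="commonname"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="eppn"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""


def resolver_ids(xml_text):
    """ids of every AttributeDefinition in attribute-resolver.xml."""
    root = ET.fromstring(xml_text)
    return {d.get("id") for d in root.iter("{%s}AttributeDefinition" % RESOLVER_NS)}


def released_ids(xml_text):
    """attributeIDs named by any AttributeRule in attribute-filter.xml."""
    root = ET.fromstring(xml_text)
    return {r.get("attributeID") for r in root.iter("{%s}AttributeRule" % AFP_NS)}


def cross_check(resolver_xml, filter_xml):
    """Return the ids that exist on only one side of the resolver/filter pair."""
    defined, released = resolver_ids(resolver_xml), released_ids(filter_xml)
    return {
        "never_released": sorted(defined - released),          # resolved, but no rule releases them
        "undefined_in_resolver": sorted(released - defined),   # rules that can never match
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as f:
            report = cross_check(r.read(), f.read())
    else:
        report = cross_check(SAMPLE_RESOLVER, SAMPLE_FILTER)
    for key, ids in report.items():
        print("%s: %s" % (key, ", ".join(ids) or "none"))
```

On the samples it reports commonName and displayName as never released and commonname as undefined; on the real files both lists should be empty before you restart tomcat.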
3.3.4 Edit login.config
Enter the following command:
vi /opt/shibboleth-idp/conf/login.config
Uncomment and edit the following block:
edu.vt.middleware.ldap.jaas.LdapLoginModule required
ldapUrl="ldap://192.168.1.138"
baseDn="ou=Users,dc=cscw"
ssl="true"
// userFilter="uid={0}";
userField="uid";
As shown in the figure below.
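With userField="uid" the login module above does a search-then-bind: it looks the login name up under baseDn with the filter (uid=<login name>) and then binds as the DN it found with the password the user typed, and the resolver's FilterTemplate in 3.3.2 issues the same (uid=...) lookup. The script below is an added example (Python 3) that reproduces that flow so the settings can be reasoned about before the IdP is wired up; it is not the IdP's code or the vt-ldap library's. The point it makes is filter escaping: the login name is user-controlled, so it is escaped per RFC 4515 before it is spliced into the filter, otherwise a name such as "*" matches every entry. The LDAP connection is injected so the flow can run offline against the FakeDirectory stand-in defined below (an assumption of this example); with python-ldap, pass ldap.initialize("ldap://192.168.1.138") and the real base DN instead.

```python
"""Search-then-bind check mirroring the login.config LdapLoginModule settings."""

SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(login, user_field="uid"):
    """Build the lookup filter the way userField="uid" in login.config does."""
    return "(%s=%s)" % (user_field, escape_filter_value(login))


def search_then_bind(conn, base_dn, login, password):
    """Return the authenticated user's DN, or None on any failure."""
    if not password:
        # An empty password would turn the second bind into an anonymous bind,
        # which the server accepts; never let that count as a login.
        return None
    entries = conn.search_s(base_dn, SCOPE_SUBTREE, user_filter(login), ["uid"])
    dns = [dn for dn, _attrs in entries if dn]  # referrals come back with dn None
    if len(dns) != 1:
        return None  # unknown user, or ambiguous match: fail closed
    try:
        conn.simple_bind_s(dns[0], password)
    except Exception:  # ldap.INVALID_CREDENTIALS with python-ldap
        return None
    return dns[0]


class FakeDirectory:
    """Constructed stand-in for a python-ldap connection, for offline use."""

    def __init__(self, base_dn, users):
        self.base_dn = base_dn
        self.users = users  # uid -> password

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Only an exact, already-escaped (uid=<value>) filter matches an entry;
        # an escaped wildcard such as (uid=\2a) is a literal no entry carries.
        hits = []
        for uid in self.users:
            if filterstr == user_filter(uid):
                hits.append(("uid=%s,%s" % (uid, base), {"uid": [uid.encode()]}))
        return hits

    def simple_bind_s(self, who, cred):
        uid = who.split(",", 1)[0].split("=", 1)[1]
        if self.users.get(uid) != cred:
            raise Exception("invalid credentials")


BASE_DN = "ou=Users,dc=cscw"
DIRECTORY = FakeDirectory(BASE_DN, {"alice": "s3cret", "bob": "hunter2"})  # constructed users

if __name__ == "__main__":
    for login, pw in (("alice", "s3cret"), ("alice", "wrong"), ("*", "s3cret"), ("bob", "")):
        print("%-8r %-9r -> %s" % (login, pw, search_then_bind(DIRECTORY, BASE_DN, login, pw)))
```

Only the first of the four demo logins returns a DN; the wildcard login fails because the escaped filter (uid=\2a) matches nothing, and the empty password is refused before any bind is attempted.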
3.4 Configure the SP metadata on the IdP
(1) Copy the metadata generated on the SP (sp-metadata.xml, generated in step (4) of 4.2.2 "Configure the SP" below) to the /opt/shibboleth-idp/metadata directory on the IdP machine, using the following command:
scp sp-metadata.xml [email protected]:/opt/shibboleth-idp/metadata
(2) Run the following command:
chown tomcat7:tomcat7 sp-metadata.xml
(3) Edit relying-party.xml with the following command:
vi /opt/shibboleth-idp/conf/relying-party.xml
Add the following code:
<metadata:MetadataProvider xsi:type="FilesystemMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata" id="SPMETADATA"
metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml" />
4. Configure the SP (on the SP machine)
4.1 Deploy GitLab on the SP
4.1.1 Install GitLab on the SP machine
See this link (steps 0 to 6): http://blog.csdn.net/jenyzhang/article/details/52353355?locationNum=1 To verify that GitLab installed successfully, visit http://localhost in a browser; if the page loads and redirects straight to the set-password screen, GitLab is installed.
4.1.2 Change GitLab's external URL
Because the SP machine's external access URL http://os.cs.tsinghua.edu.cn/mooc-gitlab includes a relative path, we need to edit the GitLab configuration file /etc/gitlab/gitlab.rb so that GitLab works correctly through that external URL. (1) Enter the following command:
vi /etc/gitlab/gitlab.rb
Change external_url 'http://localhost' to external_url 'http://os.cs.tsinghua.edu.cn/mooc-gitlab' and save. As shown in the figure below.
(2) Enter the following command to reconfigure GitLab:
sudo gitlab-ctl reconfigure
Now visit http://os.cs.tsinghua.edu.cn/mooc-gitlab in a browser and you will see the GitLab login page.
Appendix: troubleshooting. View the log files:
- sudo gitlab-ctl tail
If the GitLab login page fails to load, the cause may be a port conflict. Run sudo netstat -anptl to check port usage: is port 80 held by nginx and port 8080 by unicorn? If not, kill the processes holding those ports (most likely port 80 is taken by apache and port 8080 by tomcat), then run sudo gitlab-ctl reconfigure again and re-check the ports.
Since we will later switch GitLab's login to Shibboleth, which requires disabling the nginx server and using apache instead, at this point we only kill the apache process on port 80 and do not change the apache configuration. If port 8080 is held by tomcat, however, it is better to edit tomcat's server.xml and move it off 8080 so it does not keep taking the port; we do not change unicorn's port (after changing unicorn's port, Shibboleth cannot forward correctly).
To change tomcat's port: vi /etc/tomcat7/server.xml and change port="8080" to 8088, as shown in the figure below.
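The port check described in the troubleshooting note, as an added example (Python 3, not from the original post): it reads the output of sudo netstat -anptl, maps each listening TCP port to the program name netstat prints, and reports every port that is not held by the program a working omnibus GitLab needs (nginx on 80, unicorn on 8080). The embedded sample output is constructed in net-tools' column layout and shows the failure case described above, apache on 80 and tomcat's java on 8080.

```python
"""Report which program holds ports 80 and 8080, from `sudo netstat -anptl` output.

Usage: sudo netstat -anptl | python check_ports.py
Without piped input it runs on the constructed sample below.
"""
import sys

# Constructed sample in the layout net-tools' netstat prints on Ubuntu 12.04.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2345/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      567/sshd
tcp        0      0 192.168.1.136:22        192.168.1.10:51234      ESTABLISHED 890/sshd: root
tcp6       0      0 :::8088                 :::*                    LISTEN      2345/java
"""

EXPECTED = {80: "nginx", 8080: "unicorn"}  # what a working omnibus GitLab looks like


def listeners(netstat_output):
    """Map each listening TCP port to the program name netstat shows for it."""
    ports = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue                                      # headers, UDP, established sockets
        port = int(parts[3].rsplit(":", 1)[1])            # works for 0.0.0.0:80 and :::8088
        pid_prog = parts[6]                               # "1234/apache2", or "-" without sudo
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        ports.setdefault(port, program)                   # keep the first (IPv4) entry
    return ports


def port_problems(netstat_output, expected=EXPECTED):
    """Return {port: actual program or None} for every port not held by the expected program."""
    found = listeners(netstat_output)
    return {port: found.get(port) for port, want in expected.items() if found.get(port) != want}


if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    problems = port_problems(text)
    if not problems:
        print("ports 80 and 8080 are held by nginx and unicorn")
    for port, actual in sorted(problems.items()):
        print("port %d: expected %s, found %s" % (port, EXPECTED[port], actual or "nothing listening"))
```

Run without sudo, netstat prints "-" instead of the PID/program for processes you do not own, which the check then reports as a mismatch, so run it as root as the note says.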
4.2 Configure the SP
4.2.1 Install the Shibboleth module for apache
(1) Edit hosts. Enter the following command:
vi /etc/hosts
Add the following lines:
127.0.0.1 sp.edx.org sp
192.168.1.137 idp.edx.org idp
(2) Install the Shibboleth module for apache. Enter the following commands:
sudo apt-get install libapache2-mod-shib2
a2enmod shib2
Visit http://localhost/Shibboleth.sso/Status; if it shows OK, the installation succeeded.
4.2.2 Configure the SP
(1) Edit shibboleth2.xml. Enter the following command:
vi /etc/shibboleth/shibboleth2.xml
Add the following code:
<!-- set the SP's entityID to your SP's domain -->
<ApplicationDefaults entityID="http://os.cs.tsinghua.edu.cn/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id">
<!-- add the SSO element -->
<SSO entityID="http://<domain of idp>:8080/shibboleth"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- add the session initiator -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
relayState="cookie" entityID="http://<domain of idp>:8080/idp/shibboleth" forceAuthn="true">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
<!-- add the ApplicationOverride -->
<ApplicationOverride id="class" entityID="http://os.cs.tsinghua.edu.cn/mooc-gitlab"/>
As shown in the figure below.
(2) Edit attribute-map.xml. Enter the following command:
vi /etc/shibboleth/attribute-map.xml
Uncomment the following block:
<!--
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
-->
Add the following code:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
As shown in the figure below.
(3) Edit attribute-policy.xml. Enter the following command:
vi /etc/shibboleth/attribute-policy.xml
Comment out the following block:
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
As shown in the figure below.
(4) Generate the SP metadata
Generate the key pair (enter the following commands):
cd /etc/shibboleth
shib-keygen -h os.cs.tsinghua.edu.cn/mooc-gitlab
Generate the SP metadata from the key (enter the following command):
shib-metagen -h os.cs.tsinghua.edu.cn/mooc-gitlab > /etc/shibboleth/sp-metadata.xml
The generated sp-metadata.xml looks similar to the following:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://os.cs.tsinghua.edu.cn/mooc-gitlab/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML/POST" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Replace every https in the file above with http.
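shib-metagen writes https:// endpoints by default, while this SP is served on http://os.cs.tsinghua.edu.cn/mooc-gitlab, which is why the step above rewrites the scheme by hand. The IdP delivers the SAML response to whichever AssertionConsumerService Location the metadata lists, so any endpoint that still points at a scheme or host the SP is not reachable on breaks the round trip, and the entityID must be the one shibboleth2.xml uses. The script below is an added example (Python 3), not from the original post or the Shibboleth project: it parses sp-metadata.xml, lists the entityID, the ACS endpoints and the number of certificates, flags every URL that disagrees with the SP's external URL, and applies the same https-to-http rewrite. It is worth running before the file is copied to the IdP in 3.4. The embedded document is a constructed copy of the listing above with a placeholder in place of the certificate.

```python
"""Check sp-metadata.xml endpoints against the SP's external URL.

Usage: python check_sp_metadata.py sp-metadata.xml http://os.cs.tsinghua.edu.cn
Without arguments it runs on the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample mirroring the shib-metagen output shown in the post.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://os.cs.tsinghua.edu.cn/mooc-gitlab/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://os.cs.tsinghua.edu.cn/mooc-gitlab/Shibboleth.sso/SAML/POST" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize(metadata_xml):
    """entityID, ACS endpoints sorted by index, and how many certificates are embedded."""
    root = ET.fromstring(metadata_xml)
    acs = sorted((int(e.get("index")), e.get("Binding"), e.get("Location"))
                 for e in root.iter("{%s}AssertionConsumerService" % MD))
    certs = [c.text.strip() for c in root.iter("{%s}X509Certificate" % DS) if c.text and c.text.strip()]
    return {"entityID": root.get("entityID"), "acs": acs, "cert_count": len(certs)}


def mismatched_endpoints(metadata_xml, external_url):
    """URLs in the metadata whose scheme or host differ from the SP's external URL."""
    want = urlsplit(external_url)
    info = summarize(metadata_xml)
    urls = [info["entityID"]] + [loc for _, _, loc in info["acs"]]
    return [u for u in urls if (urlsplit(u).scheme, urlsplit(u).netloc) != (want.scheme, want.netloc)]


def rewrite_scheme(metadata_xml, old="https://", new="http://"):
    """The post's "replace every https with http" step, applied to the whole document."""
    return metadata_xml.replace(old, new)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            text, external = f.read(), sys.argv[2]
    else:
        text, external = SAMPLE_SP_METADATA, "http://os.cs.tsinghua.edu.cn"
    info = summarize(text)
    print("entityID:", info["entityID"])
    for index, binding, location in info["acs"]:
        print("ACS %d %s -> %s" % (index, binding.rsplit(":", 1)[1], location))
    print("certificates:", info["cert_count"])
    for url in mismatched_endpoints(text, external):
        print("MISMATCH:", url)
```

On the sample every one of the five URLs is reported, and after rewrite_scheme() none are; the cert count should be exactly one, the key shib-keygen just produced.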
(5) Configure the IdP metadata on the SP. First copy the IdP's metadata file to the /etc/shibboleth directory on the SP machine. On the IdP machine, go to /opt/shibboleth-idp/metadata/, where you will find idp-metadata.xml; copy it to the SP machine with the following command:
scp idp-metadata.xml [email protected]:/etc/shibboleth
Then edit shibboleth2.xml on the SP machine. Enter the following command:
vi /etc/shibboleth/shibboleth2.xml
Add the following code:
<MetadataProvider type="XML" file="idp-metadata.xml"/>
As shown in the figure below.
4.3 Configure GitLab for the SP (on the SP machine)
Reference: the official documentation at https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/shibboleth.md
4.3.1 Edit the apache configuration file
(1) Enter the following command:
vi /etc/apache2/sites-available/default
Change the contents of the default file to the following:
<VirtualHost *:80>
  ServerName os.cs.tsinghua.edu.cn
  ServerSignature Off
  ProxyPreserveHost On
  # Ensure that encoded slashes are not decoded but left in their encoded state.
  # http://doc.gitlab.com/ce/api/projects.html#get-single-project
  AllowEncodedSlashes NoDecode
  <Location /mooc-gitlab/>
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Order allow,deny
    Allow from all
    ProxyPassReverse http://127.0.0.1:8080/mooc-gitlab/
    ProxyPassReverse http://os.cs.tsinghua.edu.cn/mooc-gitlab/
  </Location>
  <Location /mooc-gitlab/users/auth/shibboleth/callback>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
  </Location>
  Alias /mooc-gitlab/shibboleth-sp /mooc-gitlab/usr/share/shibboleth
  <Location /mooc-gitlab/shibboleth-sp>
    Satisfy any
  </Location>
  <Location /mooc-gitlab/Shibboleth.sso>
    SetHandler shib
  </Location>
  # apache equivalent of nginx try files
  # http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
  # http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
  RewriteEngine on
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_URI} !/mooc-gitlab/Shibboleth.sso
  RewriteCond %{REQUEST_URI} !/mooc-gitlab/shibboleth-sp
  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
  RequestHeader set X_FORWARDED_PROTO 'http'
  # needed for downloading attachments
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
  # Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 503 /deploy.html
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
  ErrorLog /var/log/apache2/gitlab.err.log
  CustomLog /var/log/apache2/gitlab.acces.log "combined"
  ServerAdmin [email protected]
  DocumentRoot /var/www
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  Alias /doc/ "/usr/share/doc/"
  <Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
  </Directory>
</VirtualHost>
(2) Enable the modules used in the default file. Enter the following commands:
a2enmod proxy
a2enmod rewrite
a2enmod headers
a2enmod proxy_http
(3) Restart the apache service. Enter the following command:
service apache2 restart
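Two parts of the vhost above carry the whole Shibboleth integration: GitLab reads the identity from the HTTP_EPPN, HTTP_CN and HTTP_MAIL headers on the OmniAuth callback path, so that Location must be the one mod_shib guards (AuthType shibboleth, requireSession 1, require valid-user, ShibUseHeaders On), and the catch-all RewriteRule that proxies everything to unicorn must exclude /Shibboleth.sso or the handler is never reached. The script below is an added example (Python 3), not code from the original post or from GitLab's documentation: a small lint that parses the <Location> blocks of a vhost file and checks exactly those points, so a typo in the callback path or a dropped RewriteCond is caught before apache is restarted. The embedded vhost is a constructed excerpt of the one above; the lint_file() helper and the default prefix /mooc-gitlab are this example's own.

```python
"""Lint a GitLab/Shibboleth apache vhost for the directives the integration needs.

Usage: python lint_vhost.py /etc/apache2/sites-available/default
Without arguments it runs on the constructed sample below.
"""
import re
import sys

# Constructed excerpt of the vhost from 4.3.1 (only the lines the lint looks at).
SAMPLE_VHOST = """<VirtualHost *:80>
  <Location /mooc-gitlab/users/auth/shibboleth/callback>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
  </Location>
  <Location /mooc-gitlab/Shibboleth.sso>
    SetHandler shib
  </Location>
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !/mooc-gitlab/Shibboleth.sso
  RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
</VirtualHost>
"""

CALLBACK_NEEDS = ("AuthType shibboleth", "ShibRequestSetting requireSession 1",
                  "ShibUseHeaders On", "require valid-user")


def parse_locations(text):
    """Return {path: [directive lines]}; lines outside any <Location> go under ''."""
    blocks, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>", line)
        if opened:
            current = opened.group(1)
            blocks[current] = []
            continue
        if line.lower() == "</location>":
            current = ""
            continue
        blocks[current].append(line)
    return blocks


def lint(text, prefix="/mooc-gitlab"):
    """List every integration-relevant directive that is missing; [] means the vhost is fine."""
    blocks = parse_locations(text)
    problems = []
    callback = [l.lower() for l in blocks.get(prefix + "/users/auth/shibboleth/callback", [])]
    for needed in CALLBACK_NEEDS:
        if needed.lower() not in callback:
            problems.append("callback Location lacks: " + needed)
    handler = [l.lower() for l in blocks.get(prefix + "/Shibboleth.sso", [])]
    if "sethandler shib" not in handler:
        problems.append("no SetHandler shib for " + prefix + "/Shibboleth.sso")
    top = blocks[""]
    proxies_all = any(l.startswith("RewriteRule") and "[P" in l for l in top)
    excluded = any(l.startswith("RewriteCond") and "!" + prefix + "/Shibboleth.sso" in l for l in top)
    if proxies_all and not excluded:
        problems.append("proxy RewriteRule is not excluded for " + prefix + "/Shibboleth.sso")
    return problems


def lint_file(path, prefix="/mooc-gitlab"):
    with open(path) as f:
        return lint(f.read(), prefix)


if __name__ == "__main__":
    found = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint(SAMPLE_VHOST)
    print("\n".join(found) if found else "vhost OK")
```

Directives are compared case-insensitively, as apache reads them; the path in <Location> is not, because apache matches it literally against the request URI.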
4.3.2 Edit the GitLab configuration file gitlab.rb
(1) Enter the following command:
vi /etc/gitlab/gitlab.rb
Change nginx['enable'] = true to nginx['enable'] = false and add the following:
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => 'shibboleth',
    "args" => {
      "shib_session_id_field" => "HTTP_SHIB_SESSION_ID",
      "shib_application_id_field" => "HTTP_SHIB_APPLICATION_ID",
      "uid_field" => 'HTTP_EPPN',
      "name_field" => 'HTTP_CN',
      "info_fields" => { "email" => 'HTTP_MAIL' }
    }
  }
]
(2) Apply the configuration. Enter the following command:
sudo gitlab-ctl reconfigure
Verification: now visit http://os.cs.tsinghua.edu.cn/mooc-gitlab/users/sign_in; a Shibboleth button now appears on the login page, which proves Shibboleth login has been added to GitLab.